grep using icmpv6 and ptrace?

So in the line of 'can you trust the upstream', one of the docker containers I used to do a build causes this to be emitted to the kernel log. And I cannot fathom a legitimate reason grep would be doing either networking or ptrace.

[1121294.488937] ICMPv6: process `grep' is using deprecated sysctl (syscall) net.ipv6.neigh.eth0.base_reachable_time - use net.ipv6.neigh.eth0.base_reachable_time_ms instead
[1121296.349670] ptrace attach of "bash"[12928] was attempted by "grep --color=auto -ir coffee-script . .. .babelrc .git .gitignore .nvmrc .scss-lint.yml .travis.yml .tx"[24230]
[1121296.349738] ptrace attach of "bash"[12928] was attempted by "grep --color=auto -ir coffee-script . .. .babelrc .git .gitignore .nvmrc .scss-lint.yml .travis.yml .tx"[24230]
[1121296.350034] ptrace attach of "bash"[12928] was attempted by "grep --color=auto -ir coffee-script . .. .babelrc .git .gitignore .nvmrc .scss-lint.yml .travis.yml .tx"[24230]

Now, I have seen Linux rootkits that modify e.g. netstat (for 2 reasons, 1 is to prevent you from seeing open sockets, and the other is to cause a command that you will run as root to have a payload and thus activate).

Does anyone have any info on a legitimate reason this would occur?

3 comments on “grep using icmpv6 and ptrace?”
  1. db Zac says:

    Note: I am not a kernel hacker (but you knew that, hi!).

    My guess would be that the grep process is trying to walk /proc, so is hitting things like /proc/sys/net/ipv6 and /proc/12928/stat or what have you. Obviously this is still wrong: cwd of the grep process should likely be something else.

  2. db db says:

    So that is a great theory. I’m not sure how it would explain the ptrace, but let’s give it a try.

    So, the ptrace. If I take a container, and run the grep willy-nilly across /proc, sure enough it finds pid 1 (which is bash), and attempts a ptrace:

    ptrace attach of "bash"[25305] was attempted by "grep --color=auto -ir bar /"[25609]

    # ps -ef
    root 1 0 0 19:40 pts/0 00:00:00 bash
    root 16 1 0 19:42 pts/0 00:00:00 ps -ef

    and presumably 25305 is the unmapped pid:

    $ ps wwp 25305
    25305 pts/0 Ss+ 0:00 bash

    so you are correct!


    • db Zac says:

      Yah so the question is why is something grepping blindly through /proc — doesn’t sound good.
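
A small triage script for the kernel log format shown in the post, following the /proc-walk explanation from the comments. It is an added example, not code from the post or its commenters. The recursive-grep heuristic and the verdict labels are assumptions, and the sample lines are the post's own with the long grep argument list shortened.

```python
import re
from collections import Counter

# Sample input: log lines from the post (grep argument list shortened).
SAMPLE = r'''
[1121294.488937] ICMPv6: process `grep' is using deprecated sysctl (syscall) net.ipv6.neigh.eth0.base_reachable_time - use net.ipv6.neigh.eth0.base_reachable_time_ms instead
[1121296.349670] ptrace attach of "bash"[12928] was attempted by "grep --color=auto -ir coffee-script . .. .babelrc .git"[24230]
[1121296.349738] ptrace attach of "bash"[12928] was attempted by "grep --color=auto -ir coffee-script . .. .babelrc .git"[24230]
'''

PTRACE_RE = re.compile(r'ptrace (?P<mode>\w+) of "(?P<target>[^"]*)"\[(?P<tpid>\d+)\] '
                       r'was attempted by "(?P<cmd>.*)"\[(?P<apid>\d+)\]\s*$')
SYSCTL_RE = re.compile(r"process `(?P<comm>[^']+)' is using deprecated sysctl")
GREPS = {"grep", "egrep", "fgrep", "rgrep"}

def is_recursive_grep(cmdline):
    # Heuristic (assumption): a grep with -r/-R in a short-option cluster, or
    # a long recursive option, is a file walker rather than a debugger.
    argv = cmdline.split()
    if not argv or argv[0].rsplit("/", 1)[-1] not in GREPS:
        return False
    for arg in argv[1:]:
        if arg in ("--recursive", "--dereference-recursive"):
            return True
        if arg.startswith("-") and not arg.startswith("--") and set(arg) & {"r", "R"}:
            return True
    return False

def triage(log_text):
    # Collapse repeated attempts and note which commands also read the sysctl tree.
    attempts, sysctl_readers = Counter(), set()
    for line in log_text.splitlines():
        m = PTRACE_RE.search(line)
        if m:
            attempts[(int(m["apid"]), m["cmd"], int(m["tpid"]), m["target"])] += 1
            continue
        m = SYSCTL_RE.search(line)
        if m:
            sysctl_readers.add(m["comm"])
    findings = []
    for (apid, cmd, tpid, target), n in attempts.items():
        comm = (cmd.split() or [""])[0].rsplit("/", 1)[-1]
        findings.append({"pid": apid, "target": f"{target}[{tpid}]", "count": n,
                         "verdict": "likely /proc walk" if is_recursive_grep(cmd) else "investigate",
                         "also_read_sysctl": comm in sysctl_readers})
    return findings
```

A "likely /proc walk" verdict only explains the log noise; it does not answer why the build was grepping from a directory that reaches /proc.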
